diff options
author | Cyril Lopez <cylopez@redhat.com> | 2017-03-30 15:54:32 +0200 |
---|---|---|
committer | Juan Antonio Osorio Robles <jaosorior@redhat.com> | 2017-04-07 07:23:33 +0000 |
commit | 44f627c8cd784fd3fa324643b3e131f557317e19 (patch) | |
tree | eba7007d75afc169b7f069759fd5f9d05e342318 | |
parent | 58e4dc837f77a92585a8f54d3cf642014c40bd6e (diff) |
Add a trigger to call ldap_backend define
Ldap_backend is a define so we need a resource to talk it. If
ldap_backend_enable set by tripleo-heat-templates, we call the
ldap_backend as a resource.
Given an environment such as the following:
parameter_defaults:
KeystoneLdapDomainEnable: true
KeystoneLDAPBackendConfigs:
tripleoldap:
url: ldap://192.0.2.250
user: cn=openstack,ou=Users,dc=redhat,dc=example,dc=com
password: Secrete
suffix: dc=redhat,dc=example,dc=com
user_tree_dn: ou=Users,dc=redhat,dc=example,dc=com
user_filter: "(memberOf=cn=OSuser,ou=Groups,dc=redhat,dc=example,dc=com)"
user_objectclass: person
user_id_attribute: cn
user_allow_create: false
user_allow_update: false
user_allow_delete: false
ControllerExtraConfig:
nova::keystone::authtoken::auth_version: v3
cinder::keystone::authtoken::auth_version: v3
It would then create a domain called tripleoldap with an LDAP
configuration as defined by the hash. The parameters from the
hash are defined by the keystone::ldap_backend resource in
puppet-keystone.
More backends can be added as more entries to that hash.
Partial-Bug: 1677603
Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com>
Co-Authored-By: Guillaume Coré <gucore@redhat.com>
Signed-off-by: Cyril Lopez <cylopez@redhat.com>
Change-Id: I1593c6a33ed1a0ea51feda9dfb6e1690eaeac5db
(cherry picked from commit b8388e378a9151bccbac0db0478b1ef5d1e2e3fb)
-rw-r--r-- | manifests/profile/base/keystone.pp | 16 | ||||
-rw-r--r-- | releasenotes/notes/add-ldap-backend-48e875e971343e2a.yaml | 5 |
2 files changed, 21 insertions, 0 deletions
diff --git a/manifests/profile/base/keystone.pp b/manifests/profile/base/keystone.pp index 8d8c235..91ebd4d 100644 --- a/manifests/profile/base/keystone.pp +++ b/manifests/profile/base/keystone.pp @@ -67,6 +67,15 @@ # heat admin user name # Defaults to undef # +# [*ldap_backends_config*] +# Configuration for keystone::ldap_backend. This takes a hash that will +# create each backend specified. +# Defaults to undef +# +# [*ldap_backend_enable*] +# Enables creating per-domain LDAP backends for keystone. +# Default to false +# # [*manage_db_purge*] # (Optional) Whether keystone token flushing should be enabled # Defaults to hiera('keystone_enable_db_purge', true) @@ -100,6 +109,8 @@ class tripleo::profile::base::keystone ( $heat_admin_email = undef, $heat_admin_password = undef, $heat_admin_user = undef, + $ldap_backends_config = undef, + $ldap_backend_enable = false, $manage_db_purge = hiera('keystone_enable_db_purge', true), $public_endpoint_network = hiera('keystone_public_api_network', undef), $rabbit_hosts = hiera('rabbitmq_node_names', undef), @@ -157,6 +168,11 @@ class tripleo::profile::base::keystone ( ssl_key_admin => $tls_keyfile_admin, } include ::keystone::cors + + if $ldap_backend_enable { + validate_hash($ldap_backends_config) + create_resources('::keystone::ldap_backend', $ldap_backends_config) + } } if $step >= 4 and $manage_db_purge { diff --git a/releasenotes/notes/add-ldap-backend-48e875e971343e2a.yaml b/releasenotes/notes/add-ldap-backend-48e875e971343e2a.yaml new file mode 100644 index 0000000..0fb9271 --- /dev/null +++ b/releasenotes/notes/add-ldap-backend-48e875e971343e2a.yaml @@ -0,0 +1,5 @@ +--- +features: + - Add keystone::ldap_backend call as resource when is trigged to setup a LDAP + backend as keystone domain. This allows per-domain LDAP backends for + keystone. |